The following reply was made to PR mod_proxy/3801; it has been noted by GNATS.
From: Vladi Modilevsky <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: mod_proxy/3801: Using proxy tunneling fails (tested with port 443) Date: Sat, 30 Jan 1999 16:05:46 -0600 --=====================_917755546==_ Content-Type: text/plain; charset="us-ascii" At 09:50 PM 1/30/99 -0000, you wrote: >Thank you very much for your problem report. >It has the internal identification `mod_proxy/3801'. >The individual assigned to look at your >report is: apache. > >>Category: mod_proxy >>Responsible: apache >>Synopsis: Using proxy tunneling fails (tested with port 443) >>Arrival-Date: Sat Jan 30 13:50:01 PST 1999 > > i'm including the fix, thank you. [EMAIL PROTECTED] --=====================_917755546==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="proxy_connect.c" /* ==================================================================== * Copyright (c) 1996-1999 The Apache Group. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the Apache Group * for use in the Apache HTTP server project (http://www.apache.org/)." * * 4. The names "Apache Server" and "Apache Group" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the Apache Group * for use in the Apache HTTP server project (http://www.apache.org/)." * * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Group and was originally based * on public domain software written at the National Center for * Supercomputing Applications, University of Illinois, Urbana-Champaign. * For more information on the Apache Group and the Apache HTTP server * project, please see <http://www.apache.org/>. * */ /* CONNECT method for Apache proxy */ #include "mod_proxy.h" #include "http_log.h" #include "http_main.h" #ifdef HAVE_BSTRING_H #include <bstring.h> /* for IRIX, FD_SET calls bzero() */ #endif DEF_Explain /* * This handles Netscape CONNECT method secure proxy requests. * A connection is opened to the specified host and data is * passed through between the WWW site and the browser. * * This code is based on the INTERNET-DRAFT document * "Tunneling SSL Through a WWW Proxy" currently at * http://www.mcom.com/newsref/std/tunneling_ssl.html. * * If proxyhost and proxyport are set, we send a CONNECT to * the specified proxy.. * * FIXME: this is bad, because it does its own socket I/O * instead of using the I/O in buff.c. However, * the I/O in buff.c blocks on reads, and because * this function doesn't know how much data will * be sent either way (or when) it can't use blocking * I/O. This may be very implementation-specific * (to Linux). Any suggestions? * FIXME: this doesn't log the number of bytes sent, but * that may be okay, since the data is supposed to * be transparent. In fact, this doesn't log at all * yet. 8^) * FIXME: doesn't check any headers initally sent from the * client. * FIXME: should allow authentication, but hopefully the * generic proxy authentication is good enough. * FIXME: no check for r->assbackwards, whatever that is. */ static int allowed_port(proxy_server_conf *conf, int port) { int i; int *list = (int *) conf->allowed_connect_ports->elts; for(i = 0; i < conf->allowed_connect_ports->nelts; i++) { if(port == list[i]) return 1; } return 0; } int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url, const char *proxyhost, int proxyport) { struct sockaddr_in server; struct in_addr destaddr; struct hostent server_hp; const char *host, *err; char *p; int port, sock; char buffer[HUGE_STRING_LEN]; int nbytes, i, j; fd_set fds; void *sconf = r->server->module_config; proxy_server_conf *conf = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); struct noproxy_entry *npent = (struct noproxy_entry *) conf->noproxies->elts; memset(&server, '\0', sizeof(server)); server.sin_family = AF_INET; /* Break the URL into host:port pairs */ host = url; p = strchr(url, ':'); if (p == NULL) port = DEFAULT_HTTPS_PORT; else { port = atoi(p + 1); *p = '\0'; } /* check if ProxyBlock directive on this host */ destaddr.s_addr = ap_inet_addr(host); for (i = 0; i < conf->noproxies->nelts; i++) { if ((npent[i].name != NULL && strstr(host, npent[i].name) != NULL) || destaddr.s_addr == npent[i].addr.s_addr || npent[i].name[0] == '*') return ap_proxyerror(r, "Connect to remote machine blocked"); } /* Check if it is an allowed port */ if (conf->allowed_connect_ports->nelts == 0) { /* Default setting if not overridden by AllowCONNECT */ switch (port) { case DEFAULT_HTTPS_PORT: case DEFAULT_SNEWS_PORT: break; default: return HTTP_FORBIDDEN; } } else if(!allowed_port(conf, port)) return HTTP_FORBIDDEN; if (proxyhost) { Explain2("CONNECT to remote proxy %s on port %d", proxyhost, proxyport); } else { Explain2("CONNECT to %s on port %d", host, port); } server.sin_port = (proxyport ? htons(proxyport) : htons(port)); err = ap_proxy_host2addr(proxyhost ? proxyhost : host, &server_hp); if (err != NULL) return ap_proxyerror(r, err); /* give up */ sock = ap_psocket(r->pool, PF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { ap_log_rerror(APLOG_MARK, APLOG_ERR, r, "proxy: error creating socket"); return HTTP_INTERNAL_SERVER_ERROR; } #ifndef WIN32 if (sock >= FD_SETSIZE) { ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, NULL, "proxy_connect_handler: filedescriptor (%u) " "larger than FD_SETSIZE (%u) " "found, you probably need to rebuild Apache with a " "larger FD_SETSIZE", sock, FD_SETSIZE); ap_pclosesocket(r->pool, sock); return HTTP_INTERNAL_SERVER_ERROR; } #endif j = 0; while (server_hp.h_addr_list[j] != NULL) { memcpy(&server.sin_addr, server_hp.h_addr_list[j], sizeof(struct in_addr)); i = ap_proxy_doconnect(sock, &server, r); if (i == 0) break; j++; } if (i == -1) { ap_pclosesocket(r->pool, sock); return ap_proxyerror(r, ap_pstrcat(r->pool, "Could not connect to remote machine:<br>", strerror(errno), NULL)); } /* If we are connecting through a remote proxy, we need to pass * the CONNECT request on to it. */ if (proxyport) { /* FIXME: We should not be calling write() directly, but we currently * have no alternative. Error checking ignored. Also, we force * a HTTP/1.0 request to keep things simple. */ Explain0("Sending the CONNECT request to the remote proxy"); ap_snprintf(buffer, sizeof(buffer), "CONNECT %s HTTP/1.0" CRLF, r->uri); #if defined(WIN32) send(sock, buffer, strlen(buffer), 0 ); #else write(sock, buffer, strlen(buffer)); #endif ap_snprintf(buffer, sizeof(buffer), "Proxy-agent: %s" CRLF CRLF, ap_get_server_version()); #if defined(WIN32) send(sock, buffer, strlen(buffer), 0); #else write(sock, buffer, strlen(buffer)); #endif } else { Explain0("Returning 200 OK Status"); #if defined(WIN32) sprintf( buffer, "%s\x0d\x0a%s %s\x0d\x0a\x0d\x0a", "HTTP/1.0 200 Connection established", "Proxy-agent:", ap_get_server_version() ); send(r->connection->client->fd, buffer, strlen(buffer), 0); #else ap_rvputs(r, "HTTP/1.0 200 Connection established" CRLF, NULL); ap_rvputs(r, "Proxy-agent: ", ap_get_server_version(), CRLF CRLF, NULL); ap_bflush(r->connection->client); #endif } while (1) { /* Infinite loop until error (one side closes the connection) */ FD_ZERO(&fds); FD_SET(sock, &fds); FD_SET(r->connection->client->fd, &fds); Explain0("Going to sleep (select)"); i = ap_select((r->connection->client->fd > sock ? r->connection->client->fd + 1 : sock + 1), &fds, NULL, NULL, NULL); Explain1("Woke from select(), i=%d", i); if (i) { if (FD_ISSET(sock, &fds)) { Explain0("sock was set"); #if defined(WIN32) if ((nbytes = recv(sock, buffer, HUGE_STRING_LEN, 0)) != 0) { #else if ((nbytes = read(sock, buffer, HUGE_STRING_LEN)) != 0) { #endif if (nbytes == -1) break; #if defined(WIN32) if (send(r->connection->client->fd, buffer, nbytes, 0) == EOF) #else if (write(r->connection->client->fd, buffer, nbytes) == EOF) #endif break; Explain1("Wrote %d bytes to client", nbytes); } else break; } else if (FD_ISSET(r->connection->client->fd, &fds)) { Explain0("client->fd was set"); #if defined(WIN32) if ((nbytes = recv(r->connection->client->fd, buffer, HUGE_STRING_LEN, 0)) != 0) { #else if ((nbytes = read(r->connection->client->fd, buffer, HUGE_STRING_LEN)) != 0) { #endif if (nbytes == -1) break; #if defined(WIN32) if (send(sock, buffer, nbytes, 0) == EOF) #else if (write(sock, buffer, nbytes) == EOF) #endif break; Explain1("Wrote %d bytes to server", nbytes); } else break; } else break; /* Must be done waiting */ } else break; } ap_pclosesocket(r->pool, sock); return OK; } --=====================_917755546==_ Content-Type: text/plain; charset="us-ascii" --=====================_917755546==_--
